- From: Francois Daoust <fd@w3.org>
- Date: Wed, 01 Jul 2015 16:47:47 +0200
- To: public-web-security@w3.org
- CC: "public-secondscreen@w3.org" <public-secondscreen@w3.org>
Hello Web Security IG,

The Second Screen Working Group has published an updated Working Draft
of its Presentation API, which enables web content to access external
presentation-type displays and use them for presenting web content:
http://www.w3.org/TR/presentation-api/

The group would like to draw the attention of this group to this working
draft and request feedback on a couple of security issues.

Please note the group got in touch with the TAG on these issues, see
thread at:
https://lists.w3.org/Archives/Public/www-tag/2015Jul/0001.html

The main issue is with the specification of security requirements for
the messaging channel. As much as possible, the Presentation API will
remain agnostic of the protocol used for the messaging channel as long
as it is capable of carrying DOMString payloads in a reliable and
in-order fashion. A user agent could perhaps communicate with the second
device using the WebSockets protocol or a WebRTC data channel.
However, when the controlling page is loaded in a secure context, the
spec should set some guarantees of message confidentiality and
authenticity ("only secure WebSockets"). Do you have suggestions on ways
to specify security requirements in a generic manner?

See relevant discussion in:
https://github.com/w3c/presentation-api/issues/80

More generically, we invite you to check the initial security and
privacy considerations section and let us know about comments and
suggestions that you might have.

See evaluation in:
https://github.com/w3c/presentation-api/issues/45

Thanks,
Francois Daoust, Staff Contact
Second Screen Presentation Working Group
Received on Wednesday, 1 July 2015 14:48:00 UTC
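The rule the message asks about ("a controlling page loaded in a secure context may only use a confidential, authenticated messaging channel") can be expressed as a transport-selection check in the user agent. The following is an added example written for this archive page, not code from the Presentation API specification or from the Second Screen Working Group; the candidate descriptors (`kind`, `url`) and the function names are assumptions made for illustration. It treats `wss:`/`https:` WebSocket endpoints and WebRTC data channels (which run over DTLS) as secure, and rejects plaintext `ws:`/`http:` endpoints when the controller is in a secure context, mirroring the mixed-content rule browsers already apply.

```javascript
// Added example: transport selection for a Presentation API messaging channel.
// Not part of the original message or the specification; candidate shape is assumed.

// Transports that provide confidentiality and authenticity on the wire.
const SECURE_WS_SCHEMES = new Set(["wss:", "https:"]);

// Returns true when a candidate channel is acceptable for a secure-context controller.
function isSecureTransport(candidate) {
  // WebRTC data channels are SCTP over DTLS: encrypted and peer-authenticated by design.
  if (candidate.kind === "webrtc-datachannel") return true;

  if (candidate.kind === "websocket") {
    let url;
    try {
      url = new URL(candidate.url);
    } catch (e) {
      return false; // unparseable endpoint: never treat as secure
    }
    return SECURE_WS_SCHEMES.has(url.protocol);
  }

  // Unknown transport kinds are not assumed to be secure.
  return false;
}

// Picks the first usable candidate. In a secure context only secure transports
// are eligible; otherwise the candidates are taken in their given order.
// Returns null when no candidate is acceptable (the presentation should fail
// rather than silently fall back to a plaintext channel).
function selectTransport(controllerIsSecureContext, candidates) {
  const eligible = controllerIsSecureContext
    ? candidates.filter(isSecureTransport)
    : candidates;
  return eligible.length > 0 ? eligible[0] : null;
}

// Constructed sample: candidates a user agent might discover for one display.
const SAMPLE_CANDIDATES = [
  { kind: "websocket", url: "ws://display.example.invalid/present" },   // plaintext
  { kind: "websocket", url: "wss://display.example.invalid/present" },  // TLS
  { kind: "webrtc-datachannel" },                                       // DTLS
];

// In a browser, `window.isSecureContext` would supply the first argument.
function demo() {
  return {
    secure: selectTransport(true, SAMPLE_CANDIDATES),
    insecure: selectTransport(false, SAMPLE_CANDIDATES),
  };
}
```

The design point is that the check is made on the channel's own properties (scheme, transport kind) rather than on the protocol name, which is what keeps it protocol-agnostic in the sense the message asks for: a new transport only needs to be classified once as secure or not.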